
FIG. 3

Master Key Parameter    Value (example)
Serial Number           1075633339231884
MKS                     BC017544-19491-119A3
MKR                     EA910012-10445-193B3
MK_IDS                  71ACEF1-19311-AE110
PIN NUMBER              "NEWC01234"

FIG. 4

- Install admin. software
- Execute admin. software
- Master key inserted? (Yes / No)
- Insert master key
- Unlock master key with transport PIN
- Generate MK_IDS
- Correct PIN unlocks master key
- Generate MKS and MKR
- Obtain master key serial number
- Install MK_IDS, MKS, etc.
- Open key database
- Correct PIN locks master key
- Perform key management
- Create key database

FIG. 5

- Insert master key
- Proper PIN unlocks master key
- Retrieve MK_IDS and serial number
- Open key database (525)
- Insert new client key (530)
- Retrieve client key serial number (535)
- Decrypt key record with MK_IDS
- Copy MKS and MKR to client key (550)
- Generate client CK_IDS for key (555)
- Create client record for key database (560)
- Encrypt CK_IDS with MK_IDS (565)
- Write record to key database (570)

FIG. 6

- Execute AP key mgmt. routine
- Insert AP key
- Correct PIN unlocks AP key
- Enter/store admin parameters, etc.
- Install NKS and NKR
- Create and install AP_IDS
- Display appropriate AP key parameters

- Select desired AP from list
- Authenticate AP using AP key
- Retrieve AP_IDS
- Build client key file
- Encrypt client key file
- Transfer client key file to AP

Authentication Request Frame sent to AP

Field                                     Value
Authentication Algorithm Number           "3"
Authentication Transaction Seq. Number    "1"
Status Code                               0
Challenge Text                            Client key serial number, [R1] random number encrypted with CK_IDS 2
CRC

Authentication Response Frame returned to Client

Field                                     Value
Authentication Algorithm Number           "3"
Authentication Transaction Seq. Number    "2"
Status Code                               0
Challenge Text                            [R2] encrypted with CK_IDS 2
CRC

- Client sends challenge to access point comprising client key serial number and first random number (R1) encrypted with CK_IDS 2 (1010)
- Access point retrieves CK_IDS 2 from its client key database using client key serial number (1015)
- Access point decrypts challenge with CK_IDS 2 and retrieves R1 (1020)
- Client device authenticated; place MAC in "Authorized Users" table
- Client device not authenticated; place MAC in "Do Not Allow" table
- Access point obtains second random number (R2) generated in AP key (1035)
- Access point encrypts R2 with CK_IDS 2 and sends second challenge to client device (1040)
- Client device decrypts second challenge with CK_IDS 2 to extract R2 (1045)
- Access point authorized and begin normal communications (1055)
- Access point NOT authorized and abort network communications

- Client sends challenge to access point comprising client key serial number and first random number (R1)
- Access point retrieves client key serial number and R1 (1115)
- Access point retrieves CK_IDS using client key serial number (1120)
- Access point obtains second random number (R2) generated in AP key (1125)
- Access point sends challenge to client comprising R1 encrypted with CK_IDS (R1e) and R2 (1130)
- Client device decrypts R1e with CK_IDS and retrieves R2 (1135)
- Access point not authorized, abort network authentication (1145)
- Client device sends third challenge comprising R2 encrypted with CK_IDS (R2e) (1150)
- Access point decrypts R2e with CK_IDS (1155)
- Client device not authenticated; place MAC in "Do Not Allow" table (1165)
- Client device authenticated; place MAC in "Authorized Users" table (1170)